Very Strange Behavior in INPUT Chain!
Frost
frost@engen.com
Tue, 14 Aug 2001 08:08:29 -0700
Hello all,
I have kind of a different setup than perhaps the norm. My Linux server has one
ethernet card (eth0) and one Frame Relay card (pvc0) configured and working.
My problem is that I don't want anyone connecting to the IP address of the Frame
card (pvc0) because this is just a serial IP assigned by our provider. I wish
to have the public connect to our internal public IP address on eth0 for public
services, i.e. port 80 as an example.
* Version 1 (doesn't work)
iptables -A INPUT -i $INTIF -p tcp --syn -m state --state NEW \
-s $UNIVERSE --sport $UNPRIVPORTS \
-d $INTIP --dport http -j ACCEPT
* Version 2 (does work)
iptables -A INPUT -p tcp --syn -m state --state NEW \
-s $UNIVERSE --sport $UNPRIVPORTS \
-d $INTIP --dport http -j ACCEPT
My question is: why does specifying ALL interfaces work (ver 2) while specifying
the actual interface (ver 1) doesn't? If I understand the flow correctly, when
packets reach the IN-Route stage, will they not be routed to the INPUT chain of
the internal interface which is their destination? I can't imagine that the
FORWARD chain would even be involved, as the destination IS this server.
Everything is working specifying ALL interfaces, but I'm puzzled as to why and
would appreciate hearing from someone who might shed some light. Thanks a
million.
Regards,
Harv
____________________________________________________________________
Harv Frost En.gen (a Division of J. River, Inc.)
mailto:frost@engen.com 2727 W. Baseline Rd #13
http://www.engen.com Tempe, AZ 85283
ftp://ftp.engen.com Tel: 602-438-1110
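The behaviour described in the post comes down to what `-i` matches. In the INPUT chain, `-i` compares against the interface the packet physically arrived on, not the interface that owns the destination address; a packet that enters over pvc0 addressed to eth0's IP is still an "in on pvc0" packet as far as `-i` is concerned. The following Python model is an added example written for this page, not code from the original post or from the netfilter project. It simulates a minimal INPUT chain with a default DROP policy against the two rule versions quoted above; the interface names, addresses and the assumption that public traffic enters via the Frame Relay link are constructed for the illustration, and conntrack state (`--state NEW`) is approximated by the SYN flag.

```python
"""Toy model of netfilter INPUT-chain matching (example code added for this
page, not from the original post). Addresses and topology are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the packet physically arrived on
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    syn: bool


@dataclass(frozen=True)
class Rule:
    target: str
    in_iface: Optional[str] = None   # -i  (ingress interface)
    proto: Optional[str] = None      # -p
    dst: Optional[str] = None        # -d
    dport: Optional[int] = None      # --dport
    syn: Optional[bool] = None       # --syn (stands in for --state NEW here)
    min_sport: Optional[int] = None  # --sport $UNPRIVPORTS lower bound

    def matches(self, pkt: Packet) -> bool:
        # -i is evaluated against the ingress interface only; the address
        # the packet is destined to plays no part in this comparison.
        if self.in_iface is not None and pkt.in_iface != self.in_iface:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dst is not None and pkt.dst != self.dst:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.syn is not None and pkt.syn != self.syn:
            return False
        if self.min_sport is not None and pkt.sport < self.min_sport:
            return False
        return True


def input_chain(rules: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.target
    return policy


# Constructed placeholders for the variables used in the post.
INTIF, INTIP = "eth0", "192.0.2.10"    # internal public address on eth0
FRIF, FRIP = "pvc0", "198.51.100.2"    # provider-assigned serial IP on pvc0
UNPRIVPORTS_LOW = 1024

# Version 1 from the post: qualified with -i $INTIF.
VERSION1 = [Rule("ACCEPT", in_iface=INTIF, proto="tcp", dst=INTIP,
                 dport=80, syn=True, min_sport=UNPRIVPORTS_LOW)]
# Version 2 from the post: no interface qualifier, only -d $INTIP.
VERSION2 = [Rule("ACCEPT", proto="tcp", dst=INTIP,
                 dport=80, syn=True, min_sport=UNPRIVPORTS_LOW)]


def web_syn(dst: str, in_iface: str) -> Packet:
    """A new HTTP connection attempt from a constructed remote host."""
    return Packet(in_iface=in_iface, src="203.0.113.7", dst=dst,
                  proto="tcp", sport=40000, dport=80, syn=True)


def demo() -> Dict[str, str]:
    # Assumption: Internet traffic enters this host over the Frame Relay
    # link, so even packets addressed to eth0's IP arrive on pvc0.
    public_to_intip = web_syn(INTIP, FRIF)
    public_to_frip = web_syn(FRIP, FRIF)
    lan_to_intip = web_syn(INTIP, INTIF)
    return {
        "v1_public_to_intip": input_chain(VERSION1, public_to_intip),  # DROP
        "v2_public_to_intip": input_chain(VERSION2, public_to_intip),  # ACCEPT
        "v2_public_to_frip": input_chain(VERSION2, public_to_frip),    # DROP
        "v1_lan_to_intip": input_chain(VERSION1, lan_to_intip),        # ACCEPT
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The model shows both halves of the observed behaviour: version 1 only accepts the connection when it actually comes in through eth0, while version 2 accepts it from any ingress interface but still refuses connections addressed to the pvc0 address because `-d $INTIP` does not match them and the chain policy drops the rest. Restricting by destination address, as version 2 does, is therefore the control that enforces the stated goal; whether an `-i` qualifier is useful depends on which link the public traffic really arrives on.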